Taking Reasonable Steps

We just had the absolute pleasure of spending several days at the 2017 Northeast Regional Carwash Convention.  We met some terrific people and some great companies.  In several of the conversations we had, the subject of cyber-liability insurance came up, along with whether their insurance policies would cover them for any financial losses in the event of a breach.  There is no clear answer, but I wanted to use this platform to give the readers some things to consider.

  1. Am I covered?  The short answer to whether you are protected is: it depends.  Each insurer will have different standards and different rules on this, sometimes even varying policy to policy.  While many liability policies will offer a rider for cyber security, there are often some additional steps that have to be taken.  Make sure to have a deep understanding of your policy and what is required of your business in order to meet the minimum requirements.  Often, companies think they are covered, only for the claim to be denied in the event of a financial loss.
  2. Do I have to do anything to maintain coverage?  You must take reasonable steps to mitigate the risk.  This is a big one and usually ignored.  If you are not testing your network, updating your policies on the devices, or checking for skimmers, then you may not be covered.  You haven’t taken reasonable steps to mitigate the risks and look for an issue.  For example, your homeowners insurance will replace a roof if it is damaged in a storm.  But they will not fix mold in the walls if the leak wasn’t a sudden event and was the result of water dripping over time.  That is a huge difference!  They are basically saying that if you don’t maintain your home, they will not be held liable for the water damage, because the homeowner didn’t take reasonable steps.  Most people assume their homeowners policy covers mold, but it doesn’t all the time.  The same is true for cyber.
  3. Is my IT vendor liable?  Again, the answer is: it depends.  If the IT company is being negligent and not performing maintenance that they were hired for, then they could be liable for part of the damages.  However, if you just assume they are handling it but they are not contracted to perform security, you would be liable because you haven’t hired anyone to perform the audits.  Additionally, you have to understand that it is ultimately your responsibility, and you should contract a third party to check the work the IT provider was doing.  At the end of the day, we think it was Target who lost our data.  No one blames the vendor who started the whole security breach!  You will be held guilty in the eyes of the public, so it is time you take steps to protect your business.  Use a security company to test the network, not someone who wants to sell you IT services.
  4. My software vendor says they have secure credit card processing; are they liable?  Maybe, maybe not.  It depends on where the data loss occurred.  If the loss was on your property because of a skimmer, it isn’t their fault.  If the loss occurs in their database that you pay them to host, then yes, they would be liable.  But odds are you signed a contract that said they aren’t liable, so this would be a matter for lawyers to fight out.  But at the end of the day, you picked the software vendor and you will be blamed publicly, just like Target was.  So be careful who you pick as your software vendor.  Make sure to request copies of their security assessments and find out how often they use a third party to test themselves.  Do your due diligence.
  5. I filled out the PCI questionnaire; am I protected?  Absolutely not.  The questionnaire you filled out is just for reporting.  Since companies lie on these every day, they do nothing to mitigate the risk.  It is just a document for reporting.  You need to test your own network.  The questions are good and can go a long way towards security, if they are answered honestly and you hire the right folks to do the work.

At the end of the day, you have to take the steps to protect your business.  Insurance will not necessarily be there when you need it, and you may be liable for the breach.  You can’t phone this in; hire the right firm and do the work.